Control Chatter                                                   September 2020
News that Control Professionals Need to Know


In This Issue
Internal Control and Organization Structure Flaws
Affiliate News
2020 Study of Enterprise Risk and Governance
Assessing Compliance Internal Controls Under the COSO 2013 Internal Controls Framework
Defining and Building Your In-House Compliance Committee
Whistleblowing and your business
Will 'compliance officer' become a regulated profession?
Cybersecurity Risk Management Process
SEC to rate entities on risks vs laundering, terror finance
Three Steps To Manage Third-party Risk In Times Of Disruption
 
HELP US IMPROVE INTERNAL CONTROL SYSTEMS WORLDWIDE
PARTNERS WANTED: 

The Internal Control Institute™ (ICI) improves organizational Internal Control worldwide by providing training, products and services and individual Professional Certifications recognized internationally. The Institute's Board of Advisors has determined it would like to further expand into areas where it is not directly represented. ICI provides world-class programs and its intellectual property to affiliates free of charge and shares all program revenue with them. If your organization is interested in partnering with ICI to earn revenue while you contribute to the development of the internal control profession worldwide please contact Dr. Michael Pregmon, Jr., Chief Operations Officer, by email at: [email protected] or by phone at 727-538-4113 in the USA. 
Test your Knowledge of Internal Control
The Internal Control Institute has developed a CICS Common Body of Knowledge Mini-Assessment that helps an individual determine their knowledge as it relates to governance and control practices. Results point out areas of knowledge that may require additional training and experience. The assessment also provides a measurement of the individual's readiness for CICS certification. The assessment measures core knowledge in eight critical areas including: Internal Control - Principles, Terms and Concepts, Internal Control Environment, Risk Management, Assessing Application Controls, Business System Control Assessment, Risk Assessment, Internal Control Measurement and Reporting, and Governance Practices.
 Internal Control online courses
Start becoming an Internal Control professional today!
The ICI "Certification Series" has been completely updated and is available online to everyone around the world! Course content prepares individuals to design and/or assess internal control and to assist management in installing internal control processes. In addition, the series prepares candidates for the Certified Internal Control Specialist (CICS) Examination.
To review the course catalog click here: ICI Course Catalog
To register for one or all of the online training programs click here:  
Online course pricing has been reduced by over 70% 
Internal Control and Organization Structure Flaws
By Michael Pregmon, Jr., Ph.D., CICP
COO and Managing Director
In our last newsletter we reported that inconsistent customer service is often the result of one or more of three common organization problems. Inconsistent customer service is particularly damaging to the organization over time. Customers will often overlook an occasional service "glitch," but repeated occurrences will turn customers away. Unfortunately, disgruntled customers just disappear and say nothing to the provider. Yet, studies show that the unhappy customer will tell at least seven others of poor company performance. The three common flaws are:
          1. Organization structure weakness
          2. Process control failures
          3. Staffing challenges
In this edition, we will address the issue in the first item.
 
Organization Structure Weakness
Structural flaws cause span-of-control issues. Consultant Lew Allen some years ago completed research which revealed that supervisors can effectively manage from three to seven people. This is, of course, a general rule of application. The type of operation certainly needs to be considered. In areas where close supervision is necessary, such as a research lab, perhaps fewer people may be effectively supervised. Most often though, the higher limit is the area where deficiencies occur. Many organizations violate this limit. How can any individual supervisor effectively manage 30 people? This is unrealistic!
 
Another common flaw is supervisory proximity. Supervisors/leaders need to be near the action to exercise proper control.
 
As an example, in restaurant operations, the chef is primarily charged with food preparation and quality. He/she needs to stay close to the action in the kitchen. Entrusting dining room activities to the chef's domain strains the control parameters. That is the reason typical restaurant operations enlist the services of a maitre d'hotel to oversee activities in the dining area of the restaurant. And waiters/waitresses who take guest orders usually deliver these to the guest. This is an internal control assurance activity. To contrast this, here is an example of a flawed organization structure.
 
This occurs in an assisted living facility (ALF). ALFs are in the health care industry and are a type of hybrid operation between independent apartment living and a skilled nursing activity. ALF operations provide dining room service for all meals, similar to restaurant operations.
 
Nursing assistants provide the essential services to residents of this ALF. However, during dining periods, these assistants are required to perform dining room table service. This, seemingly, is an effective use of available hours, as dining activities comprise almost 20% of the workday. However, in this operation, the assistants report to the kitchen (chef) to work as servers (waiters and waitresses). There is no actual dining area supervision of these servers during mealtimes. Consequently, 20% of the workday for each of these employees goes unsupervised as it is unrealistic for the chef to provide leadership in the dining room. Further, from an organization standpoint, 20% of these employees' worktime is not monitored and is not assessed. Food is served and follow-up is often non-existent. Further, the employee who takes the resident's food order typically does not deliver the meal to that resident. So, the normal internal control process evident in most restaurants when orders are delivered to guests is non-existent. This causes poor service and residents' dissatisfaction.
 
Flawed operations such as this are tremendously counterproductive. And, this is inefficient and costly to the company.
 
Does your organization have such structural weaknesses?
ICI ANNOUNCEMENTS
ICI Affiliate News:


The Internal Control Institute is conducting certification training in classroom and online formats for the internationally recognized CICS (Certified Internal Control Specialist) certification in internal control. Information on dates and schedules for these programs can be found on the Events tab on our Website (Events), or inquiries can be directed to the affiliate named below:

Botswana:
ICI has entered into an agreement with Internal Control Institute of Botswana ("ICI Botswana") as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in this territory. ICI Botswana will be responsible for all development activities in this area, including professional training and Certification. Individuals or companies interested in internal control training or Certification should contact:
Humphrey Chawafambira

Brazil:
Training Plans :

Rio de Janeiro - 5 to 8 October

For more details on planned training please visit the website below, or send a message to Mr. Eduardo Person Pardini. 

 
Cameroon:

ICI has entered into an agreement with Internal Control Institute of Cameroon ("ICI Cameroon") as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in this territory. ICI Cameroon will be responsible for all development activities in this area, including professional training and Certification. Individuals or companies interested in internal control training or Certification should contact:
Eric Kamegne


China: 
Online CICS training and exams are being conducted due to COVID-19.  

Individuals or companies interested in internal control training and Certification should contact: 
Mr. Qiu Jianting of CCSIT
Room 1039, Block A, Jinmao Building, No. 18, 
Xizhimenwai Street,
Xicheng District, Beijing, China
Zip Code: 100044
Mobile phone: 13810588109

Europe: 


Training Plans :

ICI Belgium has started the CICS session in French with 22 participants.
Next sessions are planned in Brussels:
  • Dutch: October 2nd 2020
  • French : January 2021
For more information on scheduled training and exams please contact Mr. Yves Dupont of ICI Belgium at:
  
India
For more information on upcoming activities in this area please contact Mr. Summit Goyal of ICI India at :
Phone: +91 9810575613


Myanmar and Cambodia:
Better Business Governance - APAC PTE LTD (BBG) has become a representative for Products, Services and Internal Control Certifications (CICS/CICP) in Myanmar and Cambodia. Better Business Governance will be responsible for all development activities, including professional training and Certification.  For more information on upcoming activities in this area please contact:
Better Business Governance
Mr. Sanjeev Gathani
1 Claymore Drive
#08-14, Orchard Towers (Rear Block)
Singapore 229594
  
Mexico:
For more information on upcoming activities in this area please contact the following:
Antonio Salas Hernandez CICP, Email: [email protected] 
Joaquin Prendes Herrera, Email: [email protected] 

Middle East:
The CICS exam is now being provided in Arabic. Osool Training and Consulting has courses and testing available in Egypt, Jordan, Libya, Muscat, Sudan, Qatar, the United Arab Emirates, Kuwait and Palestine. 

Training Plans: 

18 - 22 October 2020 - Amman, Jordan
25 - 29 October 2020 - Tunis, Tunisia
27 - 31 December 2020 - Dubai, United Arab Emirates

Interested applicants in the region should contact Osool for scheduling for future programs. For additional information on scheduled ICI Certification and program sessions, please contact:
Lina Salameh
Assistant General Manager
OSOOL for Training & Consulting
Mob Oman:  +968 95 98 98 20
Mob Jordan: +962 7 99589666
Tel:   +962 6 5927171 Ext. 107
Fax:  +962 6 5927172

Nigeria: 
Leadway Consulting conducts CICS training sessions and examinations in Nigeria. For more information on upcoming activities in Nigeria  please contact:
Mr. Joel Aluko  [email protected]


Pakistan:

For more information on activities in Pakistan individuals or companies should contact : Muhammad Farooq Hammodi
E-Mail: nardac_k@yahoo.com


Romania:

ICI Romania is planning a CICS course session on October 5 - 7, 2020 and an examination on November 9, 2020.



For more information on activities in Romania contact : 
Cosmin Serbanescu at the National Institute for Internal Control in Romania.
Tel: + 40 752 525 525

 

Singapore, Malaysia, Indonesia and Taiwan China:
ICI has entered into an agreement with GRC Consultancy Pte Ltd. (ICI Singapore, Malaysia, Indonesia and Taiwan) as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in those territories. 

Individuals or companies interested in internal control training or Certification should contact:
General enquiries for all 4 markets - [email protected]
Singapore - Mr. Bob Seetoh - [email protected]
Malaysia - Mr. Melvin Beh - [email protected]
Indonesia - Mr. Melvin Beh - [email protected]
Taiwan China - Mr. Bob Seetoh - [email protected]


Tunisia

ICI has entered into an agreement with Business and Financial Consulting company in the Republic of Tunisia (hereinafter referred to as "ICI BFC") as its representative for Products, Services and Internal Control Certifications (CICS/CICP) in the Republic of Tunisia. ICI BFC will be responsible for all development activities in this area, including professional training and Certification. Individuals or companies interested in internal control training or Certification should contact:
Contact: Nadia Yaich

Turkey:

For more information on activities being planned please contact:



Ms. Ilknur Tunc,  VP - [email protected]
Dr. Bertan Kaya - [email protected]
GOP Mahallesi, İran Caddesi, Karum İs Merkezi
No:21, D Blok, 4. Kat, D:398-399
06700
Kavaklıdere/Çankaya/Ankara
+90 (312) 4425015 T
+90 (533) 4474444 D
 
Vietnam:
Training Plan:
Course name: CICS® preparation
Start day: 10/10/2020
Duration: 4 days, on Saturday and Sunday, 08:30 am - 12:00 am and 13:30 pm - 17:00 pm
 
For more information on upcoming activities in Vietnam please contact: NGUYEN THANH TUNG (MBA. M.Eng, PhD.) Director, FMIT Institute of Financial Management & Information Technology,  Level 5, 126 Nguyen Thi Minh Khai Street, Ward 6, District 3, HCMC, Viet Nam
Office: 848 3803 5020 - 848 3512 9371 - 848 3512 7652

Zimbabwe:
The Internal Control Institute Of Zimbabwe will be running CICS Classes on the following dates:    
          27-30 October 2020
          8-11   December 2020

For more information on activities being planned please contact:
Dr. Proctor Nyemba at: [email protected]
Internal Control Chatter  
Each month the staff of The Internal Control Institute reviews hundreds of articles related to Internal Control and Corporate Governance. Here are brief summaries of some of the top articles (along with links to the original article) that may be of interest to you.
2020 Study of Enterprise Risk and Governance
September 28, 2020
According to James Bone, President of Global Compliance Associates, LLC, an ERM risk research firm, "This study is the first of its kind to examine advancements in risk performance of corporate board's risk & audit committees and the risk function. The study includes an exhaustive lit review of corporate boards and enterprise-wide risk management and a global risk survey of risk leadership, advancements in ERM practice and performance measures for risk programs. The findings are provocative and explain the structural, legal and conceptual limitations that have hindered good risk management at the board and ERM level and provides insight into how to enhance risk management at the board and chief risk office level."
Assessing Compliance Internal Controls Under the COSO 2013 Internal Controls Framework
In the age of Coronavirus, it could well be time to assess your internal controls beyond a gap analysis. Consider what COSO says about assessing compliance internal controls. In its Illustrative Guide, COSO laid out its views on "how to assess the effectiveness of its internal controls." It went on to note, "An effective system of internal controls provides reasonable assurance of achievement of the entity's objectives, relating to operations, reporting and compliance." Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components "operating together in an integrated approach." One of the most critical components of the COSO 2013 Internal Controls Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls.
Defining and Building Your In-House Compliance Committee
People say that effective corporate compliance is a team effort, and every overworked, overwhelmed CISO knows that statement is true.
Then comes the next logical question: How do you assemble that team? 
For just about every organization, you'll need to create an in-house compliance committee. This is the group of executives from across the whole enterprise who somehow play a role in risk management, and who therefore should also play a role in shaping the compliance program to govern the risks your business faces. OK, the concept is clear enough. Next come the practical questions: Exactly who should serve on the compliance committee? What issues should it address, or not address? And what role does the compliance officer play as leader of this committee? 
Whistleblowing and your business
by Kirkland Wilcox and Brian McAllister
September 25, 2020
Question: It has been almost 20 years since the accounting failures at Enron and other high-profile companies and the Sarbanes-Oxley Act (SOX) was passed. Whistleblowers played a key role in the discovery of these failures. How can organizations implement effective whistleblowing programs?  According to Brink's Modern Internal Auditing, a reference book on the subject, a whistleblowing program is an arrangement where "an employee or any stakeholder who sees some form of wrongdoing can independently and anonymously report it to an enterprise or to regulatory authorities with no fear of retribution." The first federal laws on whistleblowing derive from the False Claims Act of 1863. The act was created to address fraud by defense contractors during the Civil War. More notable in recent years, publicly traded companies have been required to establish whistleblower programs since the adoption of the Sarbanes-Oxley Act of 2002 (SOX). 
Will 'compliance officer' become a regulated profession?
September 24, 2020
Until now, compliance officers have stayed mostly under the government radar. They aren't regulated or licensed, tested or monitored. Will that change? And if so, what might the next stage of life look like for the compliance profession?
I'm going to talk mainly from a U.S. perspective because right now, that's where I'm sitting. That doesn't mean I think the United States is the only country that's important to the discussion, or that another country won't take the lead in regulating compliance officers. The next big change might come from the UK, or somewhere in Europe, Latin America, Africa, or Asia. That's part of the excitement. What is a regulated profession? I like the EU definition: A profession is said to be regulated when access and exercise is subject to the possession of a specific professional qualification. With that in mind, let's look at reasons why "compliance officer" might become a regulated profession.
Cybersecurity Risk Management Process
securityboulevard.com
In the modern landscape of cybersecurity, one uncomfortable truth is clear: managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today's most skilled teams.
Dave Hatter, a cybersecurity consultant at Intrust IT and 30 year veteran of the industry, explains, "As more of our physical world is connected to and controlled by the virtual world, and more of our business and personal information goes digital, the risks become increasingly daunting. While it has never been more important to manage cyber risk, it also has never been more difficult." Why is managing cyber risk so much harder today than ever before? 
SEC to rate entities on risks vs laundering, terror finance
By Denise A. Valdez
Philippines... The Securities and Exchange Commission (SEC) wants to be more proactive in tracking money laundering and terrorist financing by rating the effectiveness of firms in preventing such activities. On Sept. 24, the regulator issued Memorandum Circular No. 26, which calls for the implementation of an anti-money laundering risk rating system. The SEC will be rating persons and firms using four tiers (weak, needs improvement, satisfactory and strong) to gauge their risk management system in combating money laundering. It will be based on the efficient oversight of a firm's board of directors and senior management, its anti-money laundering policies and internal control and audit, and the effective implementation of these policies.
Three Steps To Manage Third-party Risk In Times Of Disruption

From suppliers and outsourcers, to service providers and distributors, a third-party breach can occur at any point along your supply chain. As attackers continue to look for ways to infiltrate companies through their partners and the third-party ecosystem continues to grow, so does this risk - last year, 59% of companies experienced a third-party data breach. And it's not just small businesses that are at risk either; even high-profile, international businesses can fall victim to a third-party breach. In 2019, for example, both a US intelligence agency and a large social media company suffered breaches in which confidential information was exposed on publicly-accessible sites run by partners. The problem is, as companies work with a growing number of third parties, they do not always have the resources and processes in place to fully understand and mitigate the risks partners introduce.
Control Quotes
"I cannot always control what goes on outside. But I can always control what goes on inside."
 Wayne Dyer

Help Keep Everyone Informed...
If you see a news story concerning internal control or corporate governance that you feel is important for other professionals to know, please send it to us.
ABOUT ICI
 
The Internal Control Institute™ (ICI) is a worldwide organization devoted exclusively to internal control and corporate governance. The Institute is dedicated to the development of world-class educational programs and best practice guidelines on internal control and corporate governance, based on the Sarbanes-Oxley Act and the COSO internal control framework. Visit us on the web at the Internal Control Institute.
Control Chatter is a monthly news summary of the top stories concerning internal control and corporate governance.  Control Chatter is prepared by the staff of Internal Control Institute for the benefit of their members and associates. Please consider it for your personal use or pass it on to associates who may have an interest in one or more of the topics by clicking on the Forward email button below.